MattSurabian / aes-gcm-stream

A NodeJS Module that implements AES256 GCM encryption and decryption using streams
MIT License

data is never verified #1

Closed calvinmetcalf closed 9 years ago

calvinmetcalf commented 9 years ago

you never _flush the decryption stream

MattSurabian commented 9 years ago

I didn't explicitly define flush though I suppose I should and just have it call final(). Ultimately though the data should be verified as it's my understanding that calling setAuthTag ensures that any data that doesn't verify results in final being thrown.

From the docs:

 If no tag is provided or if the ciphertext has been tampered with, final will throw, thus indicating that the ciphertext should be discarded due to failed authentication.

Maybe my understanding of the inner workings here is wrong. I didn't actually verify this assumption in the source.

Either way I'm opening a PR now to add _flush and explicitly call .final

MattSurabian commented 9 years ago

Given the change in #4 I think we can close this issue as it's being addressed.
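
The behaviour discussed in this thread, as an added example that is not aes-gcm-stream's code and not part of the original comments: a decrypt stream that sets the tag with `setAuthTag()` only rejects tampered ciphertext if `final()` is called in `_flush`. The class `GcmDecryptStream`, the `verifyOnFlush` option, the helpers `makeSample` and `decrypt`, and the sample message are hypothetical names and constructed data.

```javascript
const crypto = require('crypto');
const { Transform } = require('stream');

// Hypothetical decrypt stream (not aes-gcm-stream's code). The tag is set up
// front with setAuthTag(), but it is only checked when final() is called.
class GcmDecryptStream extends Transform {
  constructor(key, iv, tag, { verifyOnFlush = true } = {}) {
    super();
    this.verifyOnFlush = verifyOnFlush;
    this.decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    this.decipher.setAuthTag(tag);
  }
  _transform(chunk, _enc, cb) {
    // update() hands back plaintext that has not been authenticated yet.
    cb(null, this.decipher.update(chunk));
  }
  _flush(cb) {
    if (!this.verifyOnFlush) return cb(); // behaviour reported in this issue
    try {
      this.decipher.final(); // throws when the tag does not match
      cb();
    } catch (err) {
      cb(err); // becomes an 'error' event; consumers must discard the output
    }
  }
}

// Constructed sample: encrypt a message, then flip one ciphertext bit.
function makeSample() {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update('transfer 100 to alice'), cipher.final()]);
  const tampered = Buffer.from(ct);
  tampered[0] ^= 0x01;
  return { key, iv, tag: cipher.getAuthTag(), ct, tampered };
}

// Feeds ciphertext through the stream and reports what a consumer observes.
function decrypt(sample, ciphertext, opts) {
  return new Promise((resolve) => {
    const out = [];
    const s = new GcmDecryptStream(sample.key, sample.iv, sample.tag, opts);
    s.on('data', (d) => out.push(d));
    s.on('error', (err) => resolve({ ok: false, error: err.message }));
    s.on('end', () => resolve({ ok: true, text: Buffer.concat(out).toString() }));
    s.end(ciphertext);
  });
}
```

With `verifyOnFlush: false` the tampered input ends cleanly and yields altered plaintext; with the default, the stream errors at end of input, and any plaintext already emitted by `update()` has to be thrown away by the consumer.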